You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Srinivasa Yadlapalli (Jira)" <ji...@apache.org> on 2022/01/31 18:36:00 UTC
[jira] [Reopened] (AMQ-8449) apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue
[ https://issues.apache.org/jira/browse/AMQ-8449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Srinivasa Yadlapalli reopened AMQ-8449:
---------------------------------------
> apache-activemq-5.16.3 - How to upgrade Log4j-1.2.17.1 to Log4J 2.x to fix log4j related security issue
> -------------------------------------------------------------------------------------------------------
>
> Key: AMQ-8449
> URL: https://issues.apache.org/jira/browse/AMQ-8449
> Project: ActiveMQ
> Issue Type: Bug
> Components: AMQP
> Affects Versions: 5.16.3
> Environment: log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
> Reporter: Srinivasa Yadlapalli
> Priority: Critical
>
> log4j-1.2.17.1.jar file exists in "apache-activemq-5.16.3\lib\optional" folder which was flagged by security team for vulnerability issue...
> Please advice how to upgrade this to the latest log4j 2.x to fix vulnerability issues.
> The log4j:log4j package is vulnerable to Remote Code Execution (RCE) due to Deserialization of Untrusted Data. The configureHierarchy and genericHierarchy methods in SocketServer.class do not verify if the file at a given file path contains any untrusted objects prior to deserializing them. A remote attacker can exploit this vulnerability by providing a path to crafted files, which result in arbitrary code execution when deserialized.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)